Analysis
max time kernel: 150s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/08/2024, 19:56

Static task: static1
Behavioral task: behavioral1
  Sample: 13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe
  Resource: win10v2004-20240802-en

General
Target: 13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe
Size: 1.1MB
MD5: 1ec3aacd70ffb14f3431a57abacb988b
SHA1: 63df42986534930ba0c24c539caa0c5be4d39f4a
SHA256: 13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d
SHA512: 633c9ecc1d5213b1e01249a67cca3e530db44b21147a47ba87d8bc7985265b28778f5426d11e105fb0a1dbef94bd386fa2f71a6f669ae51cf92d979d08ddc7ce
SSDEEP: 24576:Wf9AiKGpEoQpkN2C4McuKo0GTNJpyT5RGeQa0s:W+GtCi27mVHyT+a0s
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
3636  Logo1_.exe
3080  13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Logo1_.exe: \??\P:, \??\N:, \??\L:, \??\X:, \??\U:, \??\S:, \??\Q:, \??\M:, \??\V:, \??\T:, \??\J:, \??\E:, \??\O:, \??\K:, \??\W:, \??\R:, \??\I:, \??\H:, \??\G:, \??\Z:, \??\Y:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description                   ioc                      Process
File created                  C:\Windows\rundl132.exe  13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe
File created                  C:\Windows\Logo1_.exe    13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created                  C:\Windows\vDll.dll      Logo1_.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: net.exe, net1.exe, cmd.exe, 13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe, Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid   Process
3636  Logo1_.exe (20 identical entries)
Suspicious use of WriteProcessMemory (16 IoCs)
source pid  target pid  Process                                                                   procid_target  count
4956        3492        13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe  86             3
4956        3636        13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe  87             3
3636        4976        Logo1_.exe                                                                89             3
4976        1068        net.exe                                                                   91             3
3492        3080        cmd.exe                                                                   92             2
3636        3484        Logo1_.exe                                                                56             2
(Target PID 3484 is C:\Windows\Explorer.EXE, the root of the process tree below.)
Processes
C:\Windows\Explorer.EXE (PID 3484)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe (PID 4956)
    command line: "C:\Users\Admin\AppData\Local\Temp\13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3492)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A6D.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe (PID 3080)
        command line: "C:\Users\Admin\AppData\Local\Temp\13c4be2974cf679b448ffe6f17816cd0492680b5bab758118069aed4d10eb39d.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 3636)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 4976)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 1068)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads